ABSTRACT

A matter of great concern in the design and operation of multi-engine rocket propulsion systems is the effect of the premature 
shutdown of one engine on the vehicle. The probability that a premature shutdown will cause a vehicle loss is termed “correlation.”

Based on airbreathing experience as well as rocket engine data, the best estimate of this “correlation” is made and then applied to 
the overall multi-engine reliability problem to demonstrate its potential effect. At this point, follow-on analyses are pointed out that 
illustrate how any potential failures that may cause a “correlatable” event can be eliminated, thus bringing this correlation to almost 0. 

INTRODUCTION AND BACKGROUND 

Rocket propulsion reliability and safety is a matter of great concern since the Shuttle and Titan incidents. The achievement of 
future space goals hinges on the ability to reliably launch payloads to low earth orbit to support the Space Station, Space Defense 
Initiative and communications needs. While the Shuttle and Titan solid propulsion were responsible for these incidents, we will concern 
ourselves with liquid rocket propulsion in this paper. Current liquid rocket propulsion systems possess an average .96 mission 
reliability (or 4/100 failure rate). In addition, when one of the engines in a system fails, it may affect the operation of the entire vehicle. 
The probability of a premature shutdown causing a vehicle loss is often referred to as correlation. 

TURBOJET ENGINE HISTORY 

Looking first at the history of engine-caused mishaps across single, dual, and multi-engine aircraft tells us immediately that 
multiple engines reduce engine-caused vehicle losses (Figure 1). This is due to the ability of an aircraft to operate for some time with 
one engine out. Indeed, even with single engine fighters after losing power a pilot very often can land safely. In fact, in the commercial 
arena it is an FAA requirement that an aircraft be able to sustain flight with one engine out — even on takeoff. 


MULTIPLE ENGINES REDUCE ENGINE CAUSED MISHAPS

Figure 1

Class A Mishaps Reduced With Multiple Engines

(Estimated from available USAF/US Navy data systems)




The estimated correlation so calculated is summarized below in Table I, and we see that across all of these dual and 
multi-engine applications the “correlation” is <1%. 


Table I

CORRELATION IS < 1% FOR USAF AND US NAVY EXPERIENCE

A/C-ENGINE            CORRELATION
F-15/F100             .9%
F11F/TF30             .4%
F14/TF30              .4%
F111B/TF30            .4%
A-4/A-6/EA6B-J52      .06%
F-4/J79               .08%
T38/J85               .03%
A-10/TF34             .07%
B52/J57               .8%
C-135/TF33            .3%
KC-135/J57            .9%


ROCKET HISTORY 

Now let's turn to rocket propulsion systems. Again, we need to know the single engine reliability. This reliability for the SSME, F1, 
J2, TITAN, and RL10 is illustrated in Figure 2. 



Figure 2 

Simple Engine cycle Provides Improved Engine Reliability 


Several interesting observations can be made from this plot. The single engine reliability seems to be correlated with type of 
rocket engine cycle: 

Cycle                              Characteristics                                Reliability
Expander (RL10)                    Low operating pressures & temperatures         .998+
Gas generator (F1, J2, LR87/91)    Moderate operating pressures & temperatures    .94 - .99
Staged Combustion (SSME)           High operating pressures & temperatures        .93

While this is by no means a perfect relationship, since there are other factors involved such as design philosophy, development 
test philosophy, and quality initiatives, it does indicate an overall trend of higher complexity, lower reliability that intuitively makes 
sense. 

Let’s go on to look at rocket propulsion history in terms of engine-caused failures and engine-caused catastrophic/vehicle losses. 
Table II represents a summary of all data available to the authors in terms of systems, failures, and catastrophic failures. The 
background data was provided by NASA MSFC. The correlation column is simply a ratio of the number of engine-caused catastrophic 
failures to the number of total engine failures. Since rocket engine reliability data (Figure 2) indicates that all rocket engines are not 
created equal, one way that might be used to combine the data is to average across all systems to indicate an approximate .07 
correlation. Even this average correlation is misleading, however, since it is driven entirely by two systems (Thor/MB3 and Atlas MA3 & 
MA5) and, in fact, is driven by very early design problems in both of these engines. Because of this lack of overall data on 
failures/vehicle losses, the SSME ground and flight data from 1982 through 1987 was also analyzed. Based on 51 total shutdown 
events, three of these were of such a nature as to be deemed catastrophic. This then gives a .06 correlation factor (3/51). 

Table II

ROCKET ENGINE FLIGHT HISTORY

VEHICLE/ENGINE     NO. ENGINES IN SYSTEM   NO. FAILURES   NO. CATASTROPHIC FAILURES   CORRELATION
THOR/MB3           1                       3              1                           .333
DELTA/RS-27        1                       0              0                           0
ATLAS/MA3&MA5      3                       14             5                           .375
CENTAUR/RL10       2                       0              0                           0
SATURN/S1-H1       8                       1              0                           0
SATURN/S1C-F-1     5                       0              0                           0
SATURN/S2-J2       5                       1              0                           0
SATURN/S4-J2       1                       1              0                           0
SATURN/S4-RL10     6                       0              0                           0
SSME               3                       1              0                           0

ALL ENGINES ARE NOT CREATED EQUAL, SO AVERAGING 
ACROSS ENGINES / APPLICATIONS THE CORRELATION ≈ .07 


In summary, while the correlation historically is somewhere around 6-7%, the number of events that this is based on is so small as 
to make it reasonable to assume that the correlation is most probably bounded from 0 to 10%, but certainly less than 10%. 

This correlation must be taken into consideration in the calculation of propulsion system reliability. Since each engine ignition can 
be considered as a pass-fail or yes-no event (a Bernoulli trial in statistical terms), the reliability of a propulsion system considering 
correlation can be calculated as: 


$$R = \sum_{i=N-K}^{N} \binom{N}{i}\, p^{i}\,(1-p)^{N-i}\,(1-c)^{N-i}$$

R = System Reliability
p = Single engine reliability
N = # of engines in system
c = Correlation
K = No. engine out capability


Using this formula, and varying the number of engines in the propulsion system, Figure 3 illustrates the impact of 1 engine out 
capability on propulsion system reliability. Figure 4 illustrates the effect of correlation on propulsion system reliability for varying single 
engine reliability using a 4 liquid system with 1 engine out capability. 

COMPARISON OF ENGINE RELIABILITY LEVELS, CORRELATION = 0.05

Figure 3

Engine Out Capability Provides Improved Reliability

Figure 4

Reduced Correlation Requires Lower Engine Reliability For Same System Reliability


The importance of correlation and of recognizing those failure modes that may be catastrophic is readily seen in Figure 4. For 
example, by specifying the propulsion system reliability at .995, the single engine reliability that must be demonstrated could vary from 
.97 to .99. What is the importance of this single engine reliability? Well, if a design/development process is initiated to bring the 
correlation to near zero, the number of system tests to demonstrate .995 system reliability is markedly reduced: 


Correlation    Reliability Demonstrated    # Tests w/o failure
               at 90% confidence           required
.0             .97                         76
.04            .98                         114
.10            .99                         230
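
The relationship above between correlation, single engine reliability and test count can be reproduced numerically. The Python below is an added example, not part of the original paper: the function names are hypothetical, and the test-count step assumes the standard zero-failure (success-run) relation n = ln(1 - confidence) / ln(R), which the paper does not state.

```python
from math import ceil, comb, log


def system_reliability(p, n, k, c):
    """Reliability of an n-engine system that tolerates up to k engines out.

    Term i: exactly i engines run to completion (binomial), and each of the
    n - i premature shutdowns is benign, with probability (1 - c) apiece.
    """
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) * (1 - c)**(n - i)
               for i in range(n - k, n + 1))


def required_engine_reliability(target, n, k, c, tol=1e-9):
    """Smallest single engine reliability meeting the system target (bisection)."""
    lo, hi = 0.5, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if system_reliability(mid, n, k, c) >= target:
            hi = mid
        else:
            lo = mid
    return hi


def zero_failure_tests(reliability, confidence=0.90):
    """Consecutive failure-free tests needed to demonstrate `reliability`.

    Assumed success-run relation: reliability**n <= 1 - confidence.
    """
    return ceil(log(1 - confidence) / log(reliability))


if __name__ == "__main__":
    # 4-engine system, 1 engine out capability, .995 system reliability target.
    for c in (0.0, 0.04, 0.10):
        p = round(required_engine_reliability(0.995, n=4, k=1, c=c), 2)
        print(f"c={c:.2f}  p={p:.2f}  tests={zero_failure_tests(p)}")
```
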

ROCKET ENGINE HEALTH MONITORING SYSTEM (HMS) FOR MINIMIZING CORRELATION 


The approach taken for identifying the requirements for a HMS is shown below: 


Health Management 

Systematic Approach to HMS Requirements 

Failure Effect 



The approach consists of: 1) failure identification, 2) effect on system (without corrective action) and 3) corrective action (and the 
effect with corrective action). 

Failure identification consists of a Fault Tree Analysis (FTA), Failure Mode and Effects Analysis (FMEA), review of design criteria 
and failure histories of the components and parts. The FTA is a “tops down” analysis that identifies hazards and reviews failure modes 
in the engine system that could cause the hazard. The FMEA is a “bottoms up” approach that identifies component and subcomponent 
failures and the propagation of the failure through the system into a hazardous condition. The design criteria on limits and failure 
history on life and part failures are reviewed to identify additional failure modes. The potential failure modes are then summarized. 

The failure modes are then categorized into three areas: 1) safety (potential catastrophic failures), 2) minor failures (degradation 
in performance) and 3) part wear (project next maintenance). The minor failures and part wear categories will not be discussed in this 
paper. 

The three approaches for corrective action are: 1) to design out the hazard so as to prevent the failure mode from occurring, 2) 
contain the failure so that it does not get outside of the engine component or outside the rocket engine and cause catastrophic damage 
to another part of the vehicle, and 3) detect the impending catastrophic hazard and take corrective action. 

1. Example of designing out the failure mode. 

Liquid rocket engines incorporate a heat exchanger for providing gaseous oxygen pressurization to the liquid oxygen (LOX) 
propellant tank. A simplified sketch of the system is shown below: 

HEAT EXCHANGER 
With Potential Hazard 

GASEOUS OXYGEN TO LOX PROPELLANT TANK 

HOT GASEOUS HYDROGEN (GH2) 


A single failure (crack in the GH2 line) will allow hot GH2 to mix with the oxygen and cause a potential catastrophic failure. 
A modification to the heat exchanger design as shown below prevents the catastrophic event: 


HEAT EXCHANGER 
Redesigned 



The above design change allows the single failure of the cracked GH2 line without causing a catastrophic failure. 

2. Example of containing the failure. 

Liquid rocket engines utilize high pressure turbopumps for providing high pressure propellants to the combustion chamber. The 
high pressure turbopumps contain a turbine, consisting of Disks and Blades. In the event that a blade fails, the blade may penetrate the 
turbopump housing causing a catastrophic failure. In this failure scenario the energy contained in the blade (stress) is calculated and 
the turbopump housing thickness (strength) is increased to where the appropriate safety margins ensure that a failed blade is 
contained by the housing. 

3. Example of detecting and taking corrective action. 

Liquid rocket engines utilize propellant valves to control the engine cycle. A simplified gas generator schematic is shown below, 
and the main oxidizer valve (MOV) is highlighted. Assume the gas generator to be operating at mainstage (high power) and the MOV 
fails closed: 

FGCV GG Fuel Control Valve 
MOV Main Oxidizer Valve 
FSOV Fuel Shutoff Valve 

O - LOX Propellant 
H - LH2 Propellant 

Products of Combustion 


The valve failure creates a flow blockage that dead-heads the oxidizer pump and forces additional oxidizer into the gas 
generator. 

The following transients illustrate the effect on the gas generator operation for a failed closed MOV: 


Operation Showing Failed MOV Without Corrective Action 


Valve Position LOX Turbopump Flow LOX Turbopump Speed 



The effect of the MOV failure, without corrective action, is a catastrophic failure of the oxidizer pump. In this case, the MOV closes 
in 0.3 seconds with the other propellant valves remaining in the opened position. This causes the pump flow to decrease to a very low 
value, but there is still power available from the turbine. The turbine power causes the pump to overspeed above the burst limit. At the 
same time, the additional oxidizer flow to the gas generator increases the oxidizer/fuel ratio towards stoichiometric levels which 
causes a turbine overtemperature. 

The catastrophic failure can be prevented by detecting the MOV position and shutting down the engine before damage can occur, 
as shown in the simulation plots below. 







Operation Showing Failed MOV With Corrective Action 


Valve Position 


LOX Turbopump Flow 


LOX Turbopump Speed 



As the simulation indicates, when all the valves are closed shortly after the MOV fails closed, the turbine energy is reduced, as 
indicated by the reduced turbine speed; hence, preventing a catastrophic failure. 

SUMMARY 

Each potential failure mode identified can be analyzed and the hazard designed out, contained, or detected and accommodated. 
The described approach illustrates that for those potential failure modes that can be conceived and identified there is a way to prevent 
the failure becoming catastrophic. 

The described approach does not factor in the random failures that occur after the liquid rocket is in operation. The random failure 
modes considered as part of rocket engine manufacturing process are: manufacturing defects, assembly errors and human errors. In 
order to quantify this randomness one has to review the liquid rocket engine manufacturer's engine operation history to quantify the 
random failures' impact on correlation. 